ACE Load Balancer: Configure the Load-Balancing Service

There are quite a few ways to structure the configuration of the Load Balancing Service on a Cisco ACE device, or Load Balancer (LB). The official Cisco documentation can be a bit overwhelming, as you can see here. Here's the approach that I've always found simple to understand.

Step 1
Define the REAL SERVERS (rservers or physical servers) that will participate in the Load-Balancing process. The number of Real Servers (rservers) within the Server Farm can vary: 1 server is logically the minimum, and the maximum depends on the Balancer model. In this example two Real Servers are configured, with the names SERVERCISQUEROS03 and SERVERCISQUEROS04 and the respective IP addresses 10.187.4.42 and 10.187.4.43.

Define the ratio between the Real Servers in the farm using the "weight X" command. In this case the value X will be 1, so the load will be equally balanced between the two servers.

From the Global Configuration mode:

 rserver host SERVERCISQUEROS03
 ip address 10.187.4.42
 weight 1
 inservice


 rserver host SERVERCISQUEROS04
 ip address 10.187.4.43
 weight 1
 inservice


Step 2
Define the PROBE. The Probe lets the balancer verify that the Real Servers are available and are providing the Service we are trying to establish, on the exact physical PORT (9080 in this case).

The probe can be TCP, HTTP, HTTPS... Be careful here! This defines the connection between your ACE and the Real Servers, not between the Client and the Real Server, so make sure you know how your servers are configured.

In this example I used an HTTP probe that sends a GET request for /index.html on the server.

 probe http web_cisqueros.blogspot.com
  port 9080
  interval 30
  faildetect 2
  request method get url /index.html
  expect status 200 200

Other attributes I used in the configuration:

interval 30 # The probe is launched against the server every 30 seconds
faildetect 2 # If the probe fails to get a response from the server twice, the state changes to "FAILED"
expect status 200 200 # Status range the probe expects from the Real Server (2xx codes indicate success)
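To make the probe attributes concrete, here is an added example (my own code, not from the post or from Cisco) that simulates the semantics described above: a GET for /index.html every `interval` seconds, a response counted as a pass only when its status falls inside the `expect status 200 200` range, and the rserver marked FAILED after `faildetect` consecutive misses. The server responses are constructed inline; nothing is sent on the wire, and recovery after a failure is simplified to a single good response.

```python
# Added example (not from the post): simulates the ACE "probe http" behaviour
# described above. Responses are fed in as plain HTTP status codes (None
# stands for a timeout or connection error). Recovery after FAILED is
# simplified here to one passing response; the real ACE has separate
# passdetect settings that the post does not cover.
from dataclasses import dataclass, field


@dataclass
class HttpProbe:
    port: int = 9080
    interval: int = 30          # seconds between probe attempts
    faildetect: int = 2         # consecutive failures before state FAILED
    url: str = "/index.html"    # "request method get url /index.html"
    expect_min: int = 200       # "expect status 200 200"
    expect_max: int = 200
    state: str = "SUCCESS"
    failures: int = 0
    history: list = field(default_factory=list)

    def response_ok(self, status):
        """A response passes only if its status is inside the expected range."""
        return status is not None and self.expect_min <= status <= self.expect_max

    def observe(self, status):
        """Feed one probe result and return the resulting rserver state."""
        if self.response_ok(status):
            self.failures = 0           # a pass resets the consecutive-failure count
            self.state = "SUCCESS"
        else:
            self.failures += 1
            if self.failures >= self.faildetect:
                self.state = "FAILED"
        self.history.append((status, self.state))
        return self.state


def run_probe(responses, probe=None):
    """Replay a constructed sequence of server responses through the probe.

    Returns the list of (status, state) pairs, one per probe cycle; the
    simulated elapsed time is len(responses) * probe.interval seconds.
    """
    probe = probe or HttpProbe()
    for status in responses:
        probe.observe(status)
    return probe.history


if __name__ == "__main__":
    # Constructed sample: healthy, one timeout (not yet FAILED), recovery,
    # then two consecutive 500s trip "faildetect 2".
    for status, state in run_probe([200, None, 200, 500, 500]):
        print(f"status={status!s:>4}  state={state}")
```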


Step 3

Define the SERVER FARM that ties the two Real Servers to the configured Probe. Put both of the configured rservers "in service".

serverfarm host SRV_cisqueros.blogspot.com
 description *** Cisqueros Server Farm ***
 predictor roundrobin
 probe web_cisqueros.blogspot.com
 rserver SERVERCISQUEROS03 9080
  inservice
 rserver SERVERCISQUEROS04 9080
  inservice


Step 4

Define the Layer 7 Policy Map to specify the match criteria and action, and relate it to your Server Farm.

 policy-map type loadbalance first-match PM-VIP-cisqueros.blogspot.com
  class class-default
   serverfarm SRV_cisqueros.blogspot.com


Step 5

Define the Layer 3-4 Class Map to specify the LB match criteria applied to incoming traffic. Be sure to know the Load Balancing Service VIP (Virtual IP) address beforehand.

 class-map match-all VIP-cisqueros.blogspot.com
  2 match virtual-address 10.187.4.111 tcp eq 9080


*The number "2" follows the configuration best practice: it is a rule sequence number, and leaving 1 free lets us modify the Class Map later by adding a 1st rule in front of it.

Step 6

Define, or use the already existing L3-L4 Policy Map that you are using for the other Balanced Services. Within it define the Class Map for this particular Load Balancing Service, and connect it to the already configured Layer 7 Policy Map.

 policy-map multi-match PM-VIP
  class VIP-cisqueros.blogspot.com
   loadbalance vip inservice
   loadbalance policy PM-VIP-cisqueros.blogspot.com
   loadbalance vip icmp-reply active


Some commands to check the validity of the configured Server Farm and Probe:

 #show probe web_cisqueros.blogspot.com [details]
 #show serverfarm SRV_cisqueros.blogspot.com


ACE Load Balancer: Redirection - HTTP to HTTP/HTTPS

In this document I'll explain how to filter the HTTP protocol on a Cisco ACE Load Balancer, and how to redirect the filtered HTTP traffic to another URL. This concept is widely used for HTTP-to-HTTPS redirection.


Step 1 Create the redirection rserver

rserver redirect REDIRECT-HTTP-APP
  webhost-redirection url_redirect HTTP_CODE
  inservice


url_redirect is the URL the traffic will be redirected to, and HTTP_CODE is the redirection code (normally 301 or 302).
If we want the URL to stay the same, as is normally the case when redirecting to HTTPS, we use %h%p instead of the URL.

%h stands for Hostname. If you use only %h, then http://cisqueros.blogspot.com/mat.html will redirect you to https://cisqueros.blogspot.com

%p stands for Path.

301 redirects are permanent. They mean that the page has moved, and they request any search engine or user agent coming to the page to update the URL in their database. This is the most common type of redirect that people should use.

302 - temporary redirect

You can read about these redirects here.
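As an added illustration (my own code, not the post's or Cisco's) of how the `webhost-redirection` template turns into the redirect the client sees, the function below expands `%h` and `%p` and builds the status line and `Location` header. It assumes the template is written as `https://%h%p` (or `https://%h`); the helper names and the optional allowed-hosts check are mine.

```python
# Added example (not from the post): expands the ACE "webhost-redirection"
# template into the HTTP redirect the client receives. Only the two tokens the
# post describes are handled: %h (request Host) and %p (request path).
# The template "https://%h%p" and the helper names are my own assumptions.
from urllib.parse import urlsplit

REASONS = {301: "Moved Permanently", 302: "Found"}


def expand_redirect_template(template, host, path):
    """Substitute %h and %p in the configured url_redirect string.

    A template with only %h drops the original path, which is why the post's
    example sends http://cisqueros.blogspot.com/mat.html to the bare host.
    """
    return template.replace("%h", host).replace("%p", path)


def build_redirect_response(template, http_code, request_host, request_path,
                            allowed_hosts=None):
    """Return (status line, headers) for one redirected request.

    allowed_hosts: optional set of hostnames the VIP is meant to serve. Because
    %h is copied from the client-supplied Host header, restricting it keeps the
    Location header from pointing at a host the service does not own.
    """
    if http_code not in REASONS:
        raise ValueError("HTTP_CODE must be 301 (permanent) or 302 (temporary)")
    if allowed_hosts is not None and request_host not in allowed_hosts:
        raise ValueError(f"Host {request_host!r} is not served by this VIP")
    location = expand_redirect_template(template, request_host, request_path)
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"expanded Location is not an absolute URL: {location}")
    status_line = f"HTTP/1.1 {http_code} {REASONS[http_code]}"
    return status_line, {"Location": location, "Connection": "close"}


if __name__ == "__main__":
    # Constructed request: a client asked for http://cisqueros.blogspot.com/mat.html
    for template in ("https://%h%p", "https://%h"):
        status, headers = build_redirect_response(
            template, 301, "cisqueros.blogspot.com", "/mat.html")
        print(f"{template:14} -> {status} / Location: {headers['Location']}")
```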

Step 2 Create the Server Farm that will contain the redirection rserver

serverfarm redirect SRV-REDIRECT-HTTP-APP
  rserver REDIRECT-HTTP-APP
    inservice



Step 3 Create the class-map

class-map match-all VIP-APP-REDIRECT
2 match virtual-address X.X.X.X tcp eq www


Where X.X.X.X is the Virtual IP.


Step 4 Create the policy-map, and correlate it to the previously configured Server Farm

policy-map type loadbalance first-match PM-VIP-APP-REDIRECT
  class class-default 
      serverfarm SRV-REDIRECT-HTTP-APP



Step 5 Apply the configuration to the Layer3-4 existing policy map

policy-map multi-match PM-VIP
  class VIP-APP-REDIRECT
    loadbalance vip inservice
    loadbalance policy PM-VIP-APP-REDIRECT
    loadbalance vip icmp-reply active

DAI - Dynamic ARP Inspection

(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2

You can create an ARP Access List that maps IPs to MACs, and apply it to DAI:
 (config)#arp access-list ARP_ACL_20
 (config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
 (config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333
And now APPLY:
 (config)#ip arp inspection filter ARP_ACL_20 vlan 2

 #show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    2     Enabled          Active      ARP_ACL_20         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    2     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    2              0              0              0              0

The switch CPU performs dynamic ARP inspection validation checks; therefore,
the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)

#show ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi3/0/1          Untrusted                5                 1 <--- THE CHANGED ONE
 Gi3/0/2          Untrusted               15                 1 <--- 15 pps IS THE DEFAULT VALUE

To monitor the DROPPED packets due to DAI:
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED

Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.
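Below is an added model (my own code, not from the post or from Cisco IOS) of what the DAI configuration above does: ARP packets on untrusted ports in VLAN 2 are checked against the IP-to-MAC bindings of ARP_ACL_20, the per-interface rate limit is applied (15 pps default, 5 pps on Gi3/0/1), and counters mirror the Forwarded / Dropped / ACL Drops columns of `show ip arp inspection`. The packets are constructed inline; exceeding the rate limit is simplified to a drop, whereas a real switch err-disables the port.

```python
# Added example (not from the post): a small model of Dynamic ARP Inspection
# for the configuration shown above. Sample packets are constructed here;
# nothing is read from a real switch. Simplification: a packet over the rate
# limit is only dropped here, while IOS err-disables the offending port.
from collections import defaultdict

ARP_ACL_20 = {"20.1.1.2": "0000.1111.1111", "20.1.1.3": "0000.3333.3333"}


class DaiVlan:
    def __init__(self, vlan, acl, rate_limits=None, default_rate=15):
        self.vlan = vlan
        self.acl = acl                          # "arp access-list" bindings
        self.rate_limits = rate_limits or {}    # interface -> configured pps
        self.default_rate = default_rate        # "ip arp inspection limit rate" default
        self.seen = defaultdict(int)            # (interface, second) -> packets
        self.counters = {"forwarded": 0, "dropped": 0, "acl_drops": 0, "rate_drops": 0}
        self.log = []                           # what the log buffer would hold

    def rate_for(self, interface):
        return self.rate_limits.get(interface, self.default_rate)

    def inspect(self, pkt):
        """pkt keys: interface, trusted, second, sender_ip, sender_mac."""
        if pkt["trusted"]:
            self.counters["forwarded"] += 1     # trusted ports skip inspection
            return "forward"
        key = (pkt["interface"], pkt["second"])
        self.seen[key] += 1
        if self.seen[key] > self.rate_for(pkt["interface"]):
            self.counters["dropped"] += 1
            self.counters["rate_drops"] += 1
            self.log.append(("rate-limit", pkt["interface"], pkt["sender_ip"]))
            return "drop:rate"
        if self.acl.get(pkt["sender_ip"]) != pkt["sender_mac"]:
            self.counters["dropped"] += 1
            self.counters["acl_drops"] += 1
            self.log.append(("acl-deny", pkt["interface"], pkt["sender_ip"], pkt["sender_mac"]))
            return "drop:acl"
        self.counters["forwarded"] += 1
        return "forward"


def arp(interface, second, ip, mac, trusted=False):
    """Build one constructed ARP packet record."""
    return {"interface": interface, "trusted": trusted, "second": second,
            "sender_ip": ip, "sender_mac": mac}


def run_sample():
    """Replay constructed traffic; returns (per-packet verdicts, counters)."""
    dai = DaiVlan(2, ARP_ACL_20, rate_limits={"Gi3/0/1": 5})
    pkts = [arp("Gi3/0/2", 0, "20.1.1.2", "0000.1111.1111"),   # matches the ACL
            arp("Gi3/0/2", 0, "20.1.1.2", "0000.9999.9999")]   # wrong MAC for that IP
    # six valid ARPs within one second on Gi3/0/1, whose limit is 5 pps
    pkts += [arp("Gi3/0/1", 1, "20.1.1.3", "0000.3333.3333") for _ in range(6)]
    verdicts = [dai.inspect(p) for p in pkts]
    return verdicts, dai.counters


if __name__ == "__main__":
    verdicts, counters = run_sample()
    print(verdicts)
    print(counters)
```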

ACE Load Balancer SSL Certificate Part I, Generate the CSR (Certificate Signing Request)

You have more than one Real Server, and it's much more practical to install an SSL certificate once, on the ACE Load Balancer, than to install it on each and every Server within the Balanced Service.


The CSR is needed to generate or order a new certificate. New certificates are issued by Certificate Authorities (CAs) using the CSR as the seed for the certificate generation.

In order to terminate SSL on the Load Balancer with this certificate, a few steps must be performed.


Step 1 Define and Configure the Parameters

First thing we need to do is to generate the CSR based on the RSA key and a set of parameters that we need to define and configure on the ACE Load Balancer in the Global Configuration mode:

  (config)# crypto csr-params CSR_CISQUEROS
  (config-csr-params)# country SP
  (config-csr-params)# state MA
  (config-csr-params)# locality MADRID
  (config-csr-params)# organization-name CISQUEROS TECHNOLOGY
  (config-csr-params)# organization-unit NETWORKS
  (config-csr-params)# common-name prevol.cisqueros.blogspot.com
  (config-csr-params)# email cisqueros@blogspot.com


Step 2 Generate the RSA key (2048 in this example)


LB_ACTIVE# crypto generate key 2048 CISQUEROSRSAKEY.PEM
LB_ACTIVE# show crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
… … …
CISQUEROSRSAKEY.PEM                    1675  PEM     Yes         KEY
… … …
T1-LBA-01 # show crypto key CISQUEROSRSAKEY.PEM
1024 bit RSA keypair found in CISQUEROSRSAKEY.PEM
Modulus:
9b:d1:06:75:ad:54:8b:81:e5:72:56:58:f9:fc:79:bd:07:51:c2:8b:52:01:bf:8e:c9:8b:20:61:30:7a:4b:62:f7:c3:c3:04:37:b8:46:3e:68:af:21:55:fa:82:e6:a7:58:f6:b0:2b:a2:7e:ac:59:3c:7c:2f:a8:a1:f3:3e:f5:92:9f:56:40:04:cc:ce:4c:33:1d:04:69:51:b6:a5:4a:f7:5a:47:a7:b9:3d:8c:81:
aa:09:83:6f:58:3b:f9:08:f8:33:7c:10:bf:b5:16:61:cc:81:18:4c:a1:39:fe:ac:21:45:4c:20:02:44:44:df:08:68:33:af:0c:99:1b:8d:


Step 3 Generate the CSR

The CSR is generated from the key and the CSR parameter map: "crypto generate csr" generates the PKCS#10 CSR in PEM format and outputs it to the screen.
LB_ACTIVE # crypto generate csr CSR_CISQUEROS CISQUEROSRSAKEY.PEM
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

TIP: The CSR is not saved on the Load Balancer. Should you need it again, you will have to generate it once more using the same steps.

TIP2: The only thing the Certificate Authority is interested in, and what you absolutely must send them, is the content between the following two lines of the CSR:
 -----BEGIN CERTIFICATE REQUEST-----
and
 -----END CERTIFICATE REQUEST-----

Step 4 Export the RSA Key to the Standby Load-Balancer

Export the RSA Key to the standby load-balancer in order to avoid desynchronization when saving. First export the RSA key from the original (Active) load-balancer:

LB_ACTIVE# crypto export CISQUEROSRSAKEY.PEM terminal

Then copy it to the other (Standby) load-balancer using the command: crypto import terminal CISQUEROSRSAKEY.PEM

LB_STANDBY# crypto import terminal NAME_OF_THE_KEY.KEY
Please enter PEM formatted data. End with "quit" on a new line.
 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----

ACE Load Balancer SSL Certificate Part II: Install the SSL Certificate



Once you've obtained an actual certificate from one of the Certificate Authorities, such as VeriSign or Thawte, you may proceed to the certificate implementation.

As you may see in the picture below, the SSL session in this architecture terminates on the ACE Load Balancer, saving you the time and money needed to implement the certificate on each of the balanced Servers within the Server Farm behind the ACE Load Balancer.


The next step is performed on the Load Balancer, and it consists of identifying the KEY created and described in the first part of this guide. Once the right KEY is identified we need to EXPORT it and save it temporarily (I tend to simply paste it into the advanced, hard-to-use Windows feature called "Notepad").

LB_Active# crypto export CSRPPPREVOLRSAKEY.PEM

Within the same notepad file we should then paste the CERTIFICATE, so that it looks something like this:


-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Then we paste the entire Notepad file content into the ACTIVE ACE Load Balancer using the command:

LBA_Active# crypto import terminal cisqueros.blogger.com
Please enter PEM formatted data. End with "quit" on a new line.
*** paste the Notepad Content HERE!!! ***

TIP: You have to import the SSL certificate into BOTH ACE Balancers (Active and Standby) before you save the configuration.

Check the certificates using the command:

LBA_Active# show crypto certificate cisqueros.blogger.com

If you need to delete the old certificate before or after installing a new one, use the following command:

LBA_Active(config)# crypto delete CERTIFICATE_NAME

VTP - Should we use it?

VLAN Trunking Protocol: most commands can be configured in PRIVILEGED, CONFIGURE or DATABASE mode.

- Keep in mind that there is no way to un-configure the VTP DOMAIN NAME (by default it is NULL). You have to delete flash:vlan.dat, erase the startup config and reload the device.

VTP messages source IP (the IP from which the VTP messages are sourced):
(config)#vtp interface Loopback 1 [only] <- It will not be propagated

Restrict FLOOD TRAFFIC on the TRUNK Interfaces - use VTP PRUNING.
There are 4 types of VTP Advertisements exchanged between the switches:
1. Summary Advertisements - every time the VTP database changes (every 300 ms)
2. Subset Advertisements - sent right after the SUMMARY, include what exactly changed
3. Advertisements requested from clients - a client requests info to update its VTP database, the server responds
4. VTP Membership announcements - when PRUNING is enabled, they tell the neighbor WHAT VLANs they want (if a VLAN is not announced with this message, it is not carried on the trunk)

Check the PRUNING STATUS:
#show interfaces pruning
Pruning not currently enabled in this device's VTP administrative domain.

ENABLE PRUNING>
#vtp pruning <--- PROPAGATED TO ALL SWITCHES WITHIN THE VTP DOMAIN
Pruning switched on

*VLAN 1 CANNOT BE PRUNED!!!
**VLANs that are used locally also CANNOT BE PRUNED

Spanning Tree: Root Election and Path Tuning



The concept is rather simple - the Switches send probes called BPDUs (Bridge Protocol Data Units) to discover loops in the network. If a BPDU "returns", there is a loop in the network!

BPDU = 4-bit-PRIORITY + MAC Address

Spanning tree is no game, so be extremely careful when tuning the Priorities, Costs and Port-Priorities in order to manually make the Switch set your desired path as preferred. Every problem and misconfiguration can easily cause a major critical situation, as most Layer 2 loop problems make your Switches' CPU usage increase drastically and immediately. For your own stress-free dreams, be sure to test everything you need to change in your production network regarding Spanning Tree in a Pre-Production environment first.
I'm not going to explain the Spanning Tree basics here, as I guess most CCIE candidates should be familiar with them. The focus of this post will be the pure control of the Root Bridge in your network, and of the preferred links.


Set the Root Bridge

There are two ways to set which Switch within your network will take the role of the Root Bridge. They are both based on setting the priority parameter, and therefore the Bridge ID.


BRIDGE ID = PRIORITY* + VLAN No + MAC Address
*PRIORITY = N x 4096 (values between 0 and 61440, with 32768 being the mid-value chosen as a "default priority")

Remember about the STP: LOWER PRIORITY IS BETTER!!!


1st Way of setting the PRIORITY – SET PRIMARY/SECONDARY

(config)# spanning-tree vlan 1 root [primary | secondary]

Honestly I don't like this way, because there is a general confusion among network engineers that this command somehow dynamically makes the Switch maintain its role as the Root Bridge. It doesn't!!! It just sets the priority to a value lower than the one the CURRENT Root Bridge has (case of primary), or sets the FIXED value 28672 (case of secondary).


2nd way of setting the PRIORITY – Manual priority command

(config)# spanning-tree vlan 1 priority X*
*X = N x 4096 (values between 0 and 32768)


Personally I prefer this way; it makes me feel that I've got much more control over the L2 network when I set the parameters myself, no automatic stuff and elections!

Be extremely careful when manually adjusting this parameter as it will totally alter your Layer 2 Switching Paths. What basically happens here is that each switch in the network does the following process:

1. Determine who the Root Bridge is
2. Find the shortest path to the Root Bridge looking at the COST parameter
3. Block all the other paths*

*In the basic version of the Per-VLAN Spanning Tree Protocol (802.1D) the ports have one of the following roles:

- ROOT Port – used to reach the Root Bridge (port TOWARDS the Root Bridge)
- DESIGNATED Port – forwarding port (one per link, port AWAY from the Root Bridge)
- BLOCKING (Non-DESIGNATED) Port – the link where "the tree fell"

On NEWER versions of this protocol, such as Rapid STP (802.1w), two new port roles are introduced in place of the BLOCKING port:

- ALTERNATE Port – the improvement where the Switch actually "remembers" its alternative path to the Root Bridge in order to fail over immediately if the primary link goes down
- EDGE Port – towards NON-SWITCH devices, has the portfast feature configured

Link Cost

You've already chosen the Root Bridge, everything is fine, but for some reason you don't want your traffic to prefer a certain link... Why? Well, maybe you've got insider information that the cable is bad, that the cleaning lady sometimes unplugs it by accident, or... well, or you simply consider it better for your design. Cisco allows you to manually set the COST of one link to a higher value so that the other link is chosen as preferred, and that way you gain control of the Root Port election on your switch.



This is a GNS3 diagram of 3 Switches, and it will serve for this example. Let's say SW3 is the Root Bridge and all the links are 100 Mbps, which means a COST of 19. Naturally SW1 chooses the direct link towards SW3 because it costs 19 to get there.

Let's say that for some reason we want to force SW1 to use the other path to reach SW3 (SW1-SW2-SW3). The cost of that path is 38, so what do we do? We set the cost of the direct link SW1-SW3 to a value greater than 38. Let's go with 39:

(config-if)# spanning-tree vlan 1 cost 39


*Notice that the configuration is done on the Interface level



Port Priority

This command is used only when there is more than one way to reach the SAME SWITCH. Sometimes it's a tie-breaker, so be careful: it determines which ports are in the FWD and which in the BLK state. The default port priority is 128, so you need to set a lower value for the link to be preferred. The value range is between 0 and 255.


Check the output of the *show spanning tree interface x details* command on the Cat2 device:

Cat2#show spanning-tree vlan 1 interface fa0/24 details
Port 24 (FastEthernet0/24) of VLAN0001 is alternate blocking
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 24577, address 0018.1820.2700
Designated bridge has priority 24577, address 0018.1820.2700
Designated port id is 128.26, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 1992, received 306

The important thing is that the UPSTREAM value needs to be changed, because it's the RECEIVED port priority that really matters! For the port to be preferred we need to set a smaller value on the Cat1 device, so let's go with 64:

Cat1(config-if)#spanning-tree vlan 1 port-priority 64

And when we check the output of the *show spanning tree interface x details* command again:

Cat2#show spanning-tree vlan 1 int fa0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 24577, address 0018.1820.2700
Designated bridge has priority 24577, address 0018.1820.2700
Designated port id is 64.26, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
BPDU: sent 1993, received 697

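As an added example (my own code, not from the post or from Cisco), the block below models the three decisions this post walks through, root election by Bridge ID, root path selection by cost, and the port-priority tie-break between parallel links, and replays the post's own numbers (SW3 as root, cost 19 versus 39, and port id 64.26 winning over 128.25). The topology, MAC addresses and port numbers are constructed; the tie-break order (cost, then sender Bridge ID, then sender port id) follows 802.1D and goes one step beyond the two criteria the post names.

```python
# Added example (not from the post): a compact model of the STP decisions the
# post describes. The Root Bridge is the lowest Bridge ID (priority + VLAN
# number, then MAC), every other switch picks the lowest-cost path to it, and
# parallel links to the same upstream switch are decided by the designated
# port id (port-priority.port-number). Topology and MACs are constructed.
import heapq


def bridge_id(priority, vlan, mac):
    """Bridge ID compares as (priority + VLAN number, MAC); lower wins."""
    return (priority + vlan, mac)


def elect_root(switches, vlan):
    """switches: {name: (priority, mac)} -> name of the Root Bridge."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_port_selection(switches, links, vlan):
    """Return {switch: (root path cost, upstream switch, upstream port id)}.

    links: (a, b, cost, port_id_on_a, port_id_on_b), port ids given as
    (port-priority, port-number). Tie-break order follows 802.1D: lowest root
    path cost, then lowest sender Bridge ID, then lowest sender port id. The
    interface cost is really added by the receiving switch; one cost per link
    is enough here because only the downstream side receives BPDUs over it.
    """
    root = elect_root(switches, vlan)
    adj = {}
    for a, b, cost, pa, pb in links:
        adj.setdefault(a, []).append((b, cost, pa))   # a upstream of b: sender port pa
        adj.setdefault(b, []).append((a, cost, pb))   # b upstream of a: sender port pb
    best = {}
    heap = [((0, (0, ""), (0, 0)), root, None)]
    while heap:
        key, node, upstream = heapq.heappop(heap)
        if node in best:
            continue                                  # a better candidate already won
        best[node] = (key[0], upstream, key[2])
        bid = bridge_id(switches[node][0], vlan, switches[node][1])
        for nbr, cost, sender_port in adj.get(node, []):
            if nbr not in best:
                heapq.heappush(heap, ((key[0] + cost, bid, sender_port), nbr, node))
    return best


def post_examples():
    """Re-run the post's two scenarios; returns the decisions for SW1 and Cat2."""
    vlan = 1
    switches = {"SW1": (32768, "0018.1820.1111"), "SW2": (32768, "0018.1820.2222"),
                "SW3": (24576, "0018.1820.2700")}   # SW3 has the lowest priority
    links = [("SW1", "SW3", 19, (128, 1), (128, 1)),  # all 100 Mbps links: cost 19
             ("SW1", "SW2", 19, (128, 2), (128, 1)),
             ("SW2", "SW3", 19, (128, 2), (128, 2))]
    default = root_port_selection(switches, links, vlan)
    # "spanning-tree vlan 1 cost 39" on SW1's interface towards SW3
    tuned = [(a, b, 39 if {a, b} == {"SW1", "SW3"} else c, pa, pb)
             for a, b, c, pa, pb in links]
    cost39 = root_port_selection(switches, tuned, vlan)
    # Port priority: Cat1 is the root and Cat2 has two parallel links to it.
    # Cat1 fa0/26 faces Cat2 fa0/24; "port-priority 64" on fa0/26 makes it win.
    cats = {"Cat1": (24576, "0018.1820.2700"), "Cat2": (32768, "0018.1820.aaaa")}
    parallel = [("Cat1", "Cat2", 19, (128, 25), (128, 23)),
                ("Cat1", "Cat2", 19, (128, 26), (128, 24))]
    before = root_port_selection(cats, parallel, vlan)
    parallel[1] = ("Cat1", "Cat2", 19, (64, 26), (128, 24))
    after = root_port_selection(cats, parallel, vlan)
    return {"root": elect_root(switches, vlan), "sw1_default": default["SW1"],
            "sw1_cost39": cost39["SW1"], "cat2_before": before["Cat2"],
            "cat2_after": after["Cat2"]}


if __name__ == "__main__":
    for name, value in post_examples().items():
        print(f"{name:12} {value}")
```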
For more details please check the Cisco official Spanning Tree Configuration reference: Cisco Configuration Guide
